Radiology PACS (Picture Archiving and Communications System) - IT security

This topic was previously covered by Safety Notice SN2001(29) in 2001 (now withdrawn).

Background
A malicious software infection affecting a radiology PACS (Picture Archiving and Communications System) was reported to the MHRA. A hospital PACS became infected when a member of hospital staff inadvertently loaded personal information without knowing that the source media contained a virus. The infection spread to the PACS servers. Although this occurred in 2001, it could happen on current systems if adequate safeguards are not in place.

Best practice
It is essential that effective anti-virus measures, including regularly updated detection and recovery software, are implemented and managed at every point where malicious code may enter a system or network.

Staff with responsibility for IT security should ensure that they have a system in place which protects networked clinical systems (including PACS and imaging devices) from attack by malicious software. This might include measures such as:

  • Requiring that all systems are locked down to run the minimum number of services required to fulfil their function.
  • Ensuring that all systems run appropriate ‘on access’ virus detection software that is maintained up to date.
  • Agreeing with suppliers (including National Programme for IT Service Providers) a strategy for applying critical security updates in a timely and safe manner. Whilst updates should not be applied to medical devices without the express approval of the supplier, manufacturers should be expected to evaluate and approve updates (or deem them inappropriate) in a reasonable timeframe.
  • Providing a centrally managed server for the automated distribution of software patches and updates onto client PCs. This service might also potentially update medical devices as part of the above strategy.
  • Considering the use of firewalls between critical clinical networks and general networks.
  • Agreeing with suppliers on ways to prevent unauthorised use of workstations. This could include restricting workstations so that they can be used to view images but cannot load image files, which may be infected, onto network servers.
  • Considering other measures, such as software which analyses the behaviour of servers, networks and desktops.
  • Implementing a procedure to ensure that third-party service providers adhere to hospital IT security requirements when connecting test equipment, such as portable computers, directly to scanners or other systems on the hospital’s IT network. Such connections are a necessary part of normal service practice.
  • Complying with the requirements of the latest NHS CfH policy and guidance on Information Security Policy (currently July 2006) and Security Policy Extension Notice SPEN2004/04.

Please contact Cliff Double or Richard Glover if you need more information.


Page last modified: 20 April 2007